Another day, another government attempt to control the internet: Kazakhstan has started forcing its citizens to obtain government-issued certificates now that it has begun intercepting HTTPS traffic.
The Kazakhstan government has issued an advisory to the country’s internet service providers (ISPs), ordering them to make it mandatory for their users to install government-issued root certificates before allowing them to gain access to the internet.
Under the Law of the Republic of Kazakhstan on Communications, Article 26, and Clause 11 of the Rules for Issuing and Applying a Security Certificate, all ISPs are required to monitor the encrypted internet traffic of their customers using government-issued security certificates. The latest advisory sent to the country’s telecommunication providers falls under the most recent amendment to that legislation, which would make it mandatory for users to install government-issued security certificates.
How exactly does the decryption work?
The Hacker News explained it by saying that “for those unaware, your device and web browsers automatically trust digital certificates issued by only a specific list of Certificate Authorities (CA) who have their root certificates installed on your system.”
Once internet users are compelled to install government-issued certificates, the ISPs can generate digital certificates that a user’s device accepts as valid for any domain whose HTTPS traffic they want to intercept. Under this policy, users will no longer be able to access HTTPS traffic that is not “allowed” by the government.
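The trust-store mechanism described above, as an added Go example (not code from the original article): a certificate for example.com issued under an extra root is rejected until that root is in the store, while its public-key fingerprint still differs from the genuine one. The root names, host name and fingerprint comparison are constructed assumptions for illustration.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issue signs a certificate for name; with a nil parent it creates a self-signed root CA.
func issue(name string, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // no issuer given: make this a root that signs itself
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, signer = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}
// trusted reports whether leaf validates for host against the given root store.
func trusted(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}
// pin is the SHA-256 of the SubjectPublicKeyInfo, the value a pinning client compares.
func pin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }
// Demo checks the interception leaf against the stock store, the store plus the added root, and the pin.
func Demo() (stock, withAddedRoot, pinMatches bool) {
	pubRoot, pubKey := issue("public-root.example", nil, nil) // constructed stand-in for a browser-trusted CA
	addRoot, addKey := issue("added-root.example", nil, nil)  // constructed stand-in for the mandated root
	genuine, _ := issue("example.com", pubRoot, pubKey)
	mitm, _ := issue("example.com", addRoot, addKey)
	return trusted(mitm, "example.com", pubRoot), trusted(mitm, "example.com", pubRoot, addRoot), pin(mitm) == pin(genuine)
}
func main() { fmt.Println(Demo()) }
```

A client that only validates the chain cannot tell the two leaves apart once the extra root is installed; comparing the key fingerprint against a known-good value can.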
Internet service providers have been informing their customers since April this year about installing government-issued certificates on their devices and browsers so they can continue browsing the internet without their HTTPS traffic being redirected.
Now, ISPs have started redirecting the HTTPS traffic of users who have not installed government-issued certificates on their devices to a web page that explains how to do it, why they do it, and what happens if the users don’t do it.
Tele2, one of the major ISPs in Kazakhstan, is redirecting its users to a webpage that includes the certificate files as well as instructions on how to install the certificate on Windows, macOS, Android, and iOS devices.
“In accordance with the Law of the Republic of Kazakhstan on Communications, Article 26 and Clause 11 of the Rules for Issuing and Applying a Security Certificate, communications operators ensure the distribution of a security certificate to their subscribers with whom they have contracts for the provision of communications services,” the Tele2 advisory reads.
“The law prescribes for carriers to pass traffic using protocols that support encryption using a security certificate, with the exception of traffic encrypted by means of cryptographic protection of information in the Republic of Kazakhstan. A security certificate is a set of electronic digital characters used to pass traffic that contains protocols that support encryption.”
Beeline, another ISP from Kazakhstan, has also announced that it will soon intercept HTTPS traffic that doesn’t run with a government-issued certificate. Other internet service providers that plan to follow through on the legislation mandating the installation of the government-issued certificate include:
- Active (also lists allowed HTTPS websites)
Active posted a catalog of approved HTTPS websites in different categories such as literature, arts and culture, social networks, and sports and tourism. Interestingly, in the list of social networks, only search engines are allowed, and social media platforms like Facebook and Twitter are not included in the list. Some of the search engines and websites listed in the permitted HTTPS website catalog are:
- Full list of “allowed” websites can be accessed here.
However, security and tech experts warn that the way this policy is being implemented carries a great amount of risk. For one, users who are yet to install the government certificates can only access websites without HTTPS connections. This means that the certificate files can be downloaded only from unsecured websites, which hackers can exploit to replace the certificate files using MiTM attacks.